Nested AD group is not respected with SSSD

I have a domain joined server, configured with sssd. In sssd.conf I use

ad_access_filter = (memberof=CN=CustomGroup,OU=Security Group,DC=company,DC=com)

This works well for users in CustomGroup but not for users in the Nested_CustomGroup group that is a member of CustomGroup

My sssd.conf looks as follows:

[sssd]
domains = company.com
config_file_version = 2
services = nss, pam

[domain/company.com]
ad_domain = company.com
krb5_realm = COMPANY.COM

cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ignore_group_members = False
ldap_group_nesting_level = 2
use_fully_qualified_names = False
fallback_homedir = /home/%u
case_sensitive = false
access_provider = ad
auth_provider = ad
enumerate = false
ad_gpo_access_control = disabled
ad_access_filter = (memberof=CN=CustomGroup,OU=Security Group,DC=company,DC=com)

sshd journal log during user from nested group login:

server sshd[30781]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=someuser
server sshd[30781]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=someuser
server sshd[30781]: pam_sss(sshd:account): Access denied for user someuser: 6 (Permission denied)
server sshd[30781]: Failed password for someuser from x.x.x.x port 26241 ssh2
server sshd[30781]: fatal: Access denied for user someuser by PAM account configuration [preauth]

Any ideas? Thank you,

In order to query recursive or nested group memberships of an account against Active Directory in LDAP syntax, you need to make use of the OID 1.2.840.113556.1.4.1941, which is the OID for LDAP_MATCHING_RULE_IN_CHAIN or LDAP_MATCHING_RULE_TRANSITIVE_EVAL

In your case, you would need to adjust your access filter to

(memberOf:1.2.840.113556.1.4.1941:=CN=CustomGroup,OU=Security Group,DC=company,DC=com)